Providing Authentication for Tests
Most API endpoints require some form of user/client authentication. Effective security testing requires providing valid authentication credentials to Levo's autogenerated Test Plans.
This information can be provided in a secure, and structured manner via an
How do I use
environment.yml file is autogenerated per
Test Plan, and needs to be completed with appropriate authentication information, prior to the execution of the Test Plan.
The completed file is provided as an argument to the CLI. The CLI uses the credentials to access the target APIs and evaluate their security posture.
secrets sent to Levo SaaS?
environment.yml file contains
secrets and is never sent to, or stored in Levo SaaS. This file is solely consumed by the CLI, and Levo SaaS does not have access to your secrets.
Please treat this file securely, and take all precautions necessary for handling secrets.
What is the structure of this autogenerated file?
This section covers authentication for standard security tests. For test plans that involve
Horizontal Authorization Abuse, and
Vertical Authorization Abuse test cases, please refer to the
Providing Authorization Info section.
If the API endpoints you are testing have no role/scope information (used for granular authorization), and/or not susceptible to
Horizontal Authorization Abuse, then autogenerated file will have the below structure.
# Environment file that contains users, roles and their Authentication
# mechanisms that will be used by the API endpoints.
- name: user_1
default: true # This user's credentials will be used to access all API endpoints requiring AuthN
- name: bearerAuth
value: <Enter the bearer token>
The default authentication mechanism used by Levo is Bearer Authentication. You are required to provide
bearer tokens for the user above (
default: true for
user_1 specifies that this user's credentials will be used to access all API endpoints that require authentication.
Does Levo support other authentication methods?
The next section describes support for various standard and custom authentication methods.